If you have decided to migrate your business to the cloud, you have to thoroughly scrutinize the security protocols of your chosen provider. No matter how much of your digital presence is in the cloud, you have to ensure your service provider has the best security measures in place to protect its infrastructure from cyber threats. What makes cloud computing so convenient is extensive connectivity, but that is also what makes systems like this vulnerable to cyber attacks, and it is why security is one of the most critical components of a provider's overall operations. Assuming all other boxes have been checked for your cloud computing needs, here are the cyber security questions you need to ask your cloud provider before completing the vetting process.
What types of data centers do you use and how many?
The type of data center (Tier 1, 2, 3 or 4) will determine the service level agreement (SLA) it can provide. Tier 4 data centers are the most secure, requiring fault-tolerant equipment including servers, storage, uplinks, heating, chillers and more. The availability guarantee for Tier 4 is 99.995 percent uptime, followed by 99.982 percent uptime for Tier 3, 99.749 percent uptime for Tier 2, and 99.671 percent uptime for Tier 1.
In addition to the types, find out how many data centers the company uses. The more redundancies it has, the better your chances of ensuring the safety of your data and rapid recovery.
What certifications do you currently hold for your data centers?
Your business might have to comply with the Health Insurance Portability and Accountability Act (HIPAA), the Sarbanes-Oxley Act (SOX), the Payment Card Industry Data Security Standard (PCI DSS) or other regulations. Make sure the service provider you choose has compliance certifications in the areas critical to your business. Ask to see certifications and audits of compliance.
How reliable is your network infrastructure?
In addition to security, you need to ask about the reliability of the connectivity between you and the vendor’s network. What is its availability, traffic throughput (such as bandwidth), latency and packet loss? Knowing the answers to these questions will let you know how quickly you can access the resources you need when you need them.
What is your disaster recovery plan?
Your service provider must have a disaster recovery plan designed to minimize the downtime of its operations. Make sure to ask what the plan is. This will also let you know where the company stores your data in the event of a breach or a major disaster.
Do you have formal written information security policies?
If a service provider has formalized security policies, it should be able to produce a written version of those policies for your inspection. A well-written policy backed by quality SLAs is a good indicator of the security program’s maturity.
What happens if the business folds or merges with another company?
Ask for a written plan dealing with the solvency of the company, whether it goes out of business or is part of a merger and acquisition. This includes timetables for transferring all of your data. While on the subject of transferring data, you should also ask about the policy for changing to another provider.
How is your physical security?
A data center is only as good as its physical security. If anyone can easily access the center, the servers can be compromised. Ask about the type of physical security in place at the data centers your service provider uses. That security should be in place 365 days of the year.
How do you dispose of end-of-life hardware and failed data storage devices?
This is a question that might be overlooked, but remember you are responsible for the data that was given to you by your customers. The disposal process must be thorough and absolute. This means there must be no chance of anyone using the discarded products to retrieve the data within them.
These are not the only questions to ask, not by a long shot. Depending on how much of your operations you have migrated to the cloud, the cloud service provider will hold key operational assets of your organization. If for any reason the vendor fails to provide the service as promised, your reputation is on the line. So don’t hesitate to ask about anything that might compromise what you have worked so hard to build.